aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2013-09-25 23:03:08 +0200
committerMichael Niedermayer <michaelni@gmx.at>2013-09-25 23:03:08 +0200
commit210a437e105fbd92f1dd9c2c82f4a5efd80ca8fd (patch)
treecc8e853469bf8e2e26b08d086c11cd19132edcd4
parent3308b443f9342cd597a9d7440d2315f0a65b1566 (diff)
parent54e03863691dcae73260f70108b3731b70773e7c (diff)
downloadffmpeg-210a437e105fbd92f1dd9c2c82f4a5efd80ca8fd.tar.gz
Merge commit '54e03863691dcae73260f70108b3731b70773e7c' into release/0.10
* commit '54e03863691dcae73260f70108b3731b70773e7c': vc1: check the source buffer in vc1_mc functions bink: Bound check the quantization matrix. xl: Make sure the width is valid alsdec: Fix the clipping range dsicinav: Bound-check the source buffer when needed mov: Do not allow updating the time scale after it has been set ac3dec: Don't consume more data than the actual input packet size indeo: Reject impossible FRAMETYPE_NULL Conflicts: libavcodec/alsdec.c Merged-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavcodec/ac3dec.c2
-rw-r--r--libavcodec/alsdec.c18
-rw-r--r--libavcodec/bink.c3
-rw-r--r--libavcodec/dsicinav.c4
-rw-r--r--libavcodec/ivi_common.c8
-rw-r--r--libavcodec/vc1dec.c15
-rw-r--r--libavcodec/xl.c5
-rw-r--r--libavformat/mov.c5
8 files changed, 52 insertions, 8 deletions
diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c
index 9384dc7fbf..c11df7f9d0 100644
--- a/libavcodec/ac3dec.c
+++ b/libavcodec/ac3dec.c
@@ -1345,7 +1345,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
av_log(avctx, AV_LOG_ERROR, "unsupported frame type : "
"skipping frame\n");
*got_frame_ptr = 0;
- return s->frame_size;
+ return buf_size;
} else {
av_log(avctx, AV_LOG_ERROR, "invalid frame type\n");
}
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index 643d25ee2f..d5a805cb63 100644
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -1159,6 +1159,12 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame,
return 0;
}
+static inline int als_weighting(GetBitContext *gb, int k, int off)
+{
+ int idx = av_clip(decode_rice(gb, k) + off,
+ 0, FF_ARRAY_ELEMS(mcc_weightings) - 1);
+ return mcc_weightings[idx];
+}
/** Read the channel data.
*/
@@ -1179,14 +1185,14 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c)
if (current->master_channel != c) {
current->time_diff_flag = get_bits1(gb);
- current->weighting[0] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)];
- current->weighting[1] = mcc_weightings[av_clip(decode_rice(gb, 2) + 14, 0, 31)];
- current->weighting[2] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)];
+ current->weighting[0] = als_weighting(gb, 1, 16);
+ current->weighting[1] = als_weighting(gb, 2, 14);
+ current->weighting[2] = als_weighting(gb, 1, 16);
if (current->time_diff_flag) {
- current->weighting[3] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)];
- current->weighting[4] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)];
- current->weighting[5] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)];
+ current->weighting[3] = als_weighting(gb, 1, 16);
+ current->weighting[4] = als_weighting(gb, 1, 16);
+ current->weighting[5] = als_weighting(gb, 1, 16);
current->time_diff_sign = get_bits1(gb);
current->time_diff_index = get_bits(gb, ctx->ltp_lag_length - 3) + 3;
diff --git a/libavcodec/bink.c b/libavcodec/bink.c
index 16e3fd67a9..71b7d5fdc2 100644
--- a/libavcodec/bink.c
+++ b/libavcodec/bink.c
@@ -679,6 +679,9 @@ static int read_dct_coeffs(GetBitContext *gb, int32_t block[64], const uint8_t *
quant_idx = q;
}
+ if (quant_idx >= 16)
+ return AVERROR_INVALIDDATA;
+
quant = quant_matrices[quant_idx];
block[0] = (block[0] * quant[0]) >> 11;
diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c
index 89de99d9a9..88187bb35f 100644
--- a/libavcodec/dsicinav.c
+++ b/libavcodec/dsicinav.c
@@ -188,11 +188,13 @@ static void cin_decode_rle(const unsigned char *src, int src_size, unsigned char
while (src < src_end && dst < dst_end) {
code = *src++;
if (code & 0x80) {
+ if (src >= src_end)
+ break;
len = code - 0x7F;
memset(dst, *src++, FFMIN(len, dst_end - dst));
} else {
len = code + 1;
- memcpy(dst, src, FFMIN(len, dst_end - dst));
+ memcpy(dst, src, FFMIN3(len, dst_end - dst, src_end - src));
src += len;
}
dst += len;
diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c
index 3bf9455411..ec730cec82 100644
--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
@@ -822,6 +822,14 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
}
}
}
+ } else {
+ if (ctx->is_scalable)
+ return AVERROR_INVALIDDATA;
+
+ for (p = 0; p < 3; p++) {
+ if (!ctx->planes[p].bands[0].buf)
+ return AVERROR_INVALIDDATA;
+ }
}
//STOP_TIMER("decode_planes"); }
diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c
index 7577f82408..d2f099871d 100644
--- a/libavcodec/vc1dec.c
+++ b/libavcodec/vc1dec.c
@@ -395,6 +395,11 @@ static void vc1_mc_1mv(VC1Context *v, int dir)
}
}
+ if (!srcY || !srcU) {
+ av_log(v->s.avctx, AV_LOG_ERROR, "Referenced frame missing.\n");
+ return;
+ }
+
src_x = s->mb_x * 16 + (mx >> 2);
src_y = s->mb_y * 16 + (my >> 2);
uvsrc_x = s->mb_x * 8 + (uvmx >> 2);
@@ -570,6 +575,11 @@ static void vc1_mc_4mv_luma(VC1Context *v, int n, int dir)
} else
srcY = s->next_picture.f.data[0];
+ if (!srcY) {
+ av_log(v->s.avctx, AV_LOG_ERROR, "Referenced frame missing.\n");
+ return;
+ }
+
if (v->field_mode) {
if (v->cur_field_type != v->ref_field_type[dir])
my = my - 2 + 4 * v->cur_field_type;
@@ -856,6 +866,11 @@ static void vc1_mc_4mv_chroma(VC1Context *v, int dir)
srcV = s->next_picture.f.data[2] + uvsrc_y * s->uvlinesize + uvsrc_x;
}
+ if (!srcU) {
+ av_log(v->s.avctx, AV_LOG_ERROR, "Referenced frame missing.\n");
+ return;
+ }
+
if (v->field_mode) {
if (chroma_ref_type) {
srcU += s->current_picture_ptr->f.linesize[1];
diff --git a/libavcodec/xl.c b/libavcodec/xl.c
index 78f34afa4e..50bd5f4fbf 100644
--- a/libavcodec/xl.c
+++ b/libavcodec/xl.c
@@ -69,6 +69,11 @@ static int decode_frame(AVCodecContext *avctx,
stride = avctx->width - 4;
+ if (avctx->width % 4) {
+ av_log(avctx, AV_LOG_ERROR, "Width not a multiple of 4.\n");
+ return AVERROR_INVALIDDATA;
+ }
+
if (buf_size < avctx->width * avctx->height) {
av_log(avctx, AV_LOG_ERROR, "Packet is too small\n");
return AVERROR_INVALIDDATA;
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 65d8798276..7ac838cf09 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -754,6 +754,11 @@ static int mov_read_mdhd(MOVContext *c, AVIOContext *pb, MOVAtom atom)
st = c->fc->streams[c->fc->nb_streams-1];
sc = st->priv_data;
+ if (sc->time_scale) {
+ av_log(c->fc, AV_LOG_ERROR, "Multiple mdhd?\n");
+ return AVERROR_INVALIDDATA;
+ }
+
version = avio_r8(pb);
if (version > 1) {
av_log_ask_for_sample(c, "unsupported version %d\n", version);